Windows Analysis Report
PO_7413.exe

Overview

General Information

Sample Name: PO_7413.exe
Analysis ID: 830617
MD5: 1b3b644b48693ffea0d42032e778906b
SHA1: 2a26e739cae611522e94853194499765aa7ba30c
SHA256: 79bcc176d961b06ff3f7af0000c16e8fae56cf03b504153e439ecbccfaa34bbf
Tags: agenttesla, exe

Detection

AgentTesla, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected zgRAT
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Machine Learning detection for sample
Injects a PE file into a foreign process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • PO_7413.exe (PID: 3084, cmdline: C:\Users\user\Desktop\PO_7413.exe, MD5: 1B3B644B48693FFEA0D42032E778906B)
    • PO_7413.exe (PID: 6100, cmdline: C:\Users\user\Desktop\PO_7413.exe, MD5: 1B3B644B48693FFEA0D42032E778906B)
    • PO_7413.exe (PID: 4636, cmdline: C:\Users\user\Desktop\PO_7413.exe, MD5: 1B3B644B48693FFEA0D42032E778906B)
  • cleanup
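The tree shows the loader behaviour the signatures describe: the sample starts a copy of its own image (twice, PIDs 6100 and 4636) with an identical command line and hash, the usual prelude to creating a suspended process and injecting the payload into it. As an added example, not part of the Joe Sandbox report, the Python below flags that self-spawn pattern in process-creation telemetry. The pipe-separated line format, the explorer.exe parent (PID 4120) and the chrome.exe rows are constructed for the example; only the PO_7413.exe rows mirror the report.

```python
"""Added example (not Joe Sandbox output): flag processes that re-launch
their own image with an identical command line and hash, the pattern in the
process tree above. Telemetry lines are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path
    cmdline: str
    md5: str       # image hash, lower-case hex


def parse_proc_line(line: str) -> ProcEvent:
    """Parse 'pid|ppid|image|cmdline|md5' (a constructed format, not a real EDR schema)."""
    pid, ppid, image, cmdline, md5 = line.rstrip("\n").split("|")
    return ProcEvent(int(pid), int(ppid), image, cmdline, md5.lower())


def find_self_spawns(events: List[ProcEvent],
                     min_children: int = 1) -> List[Tuple[ProcEvent, List[ProcEvent]]]:
    """Return (parent, children) pairs where a child runs the parent's image
    with the same command line and hash.

    Browsers, updaters and installers also spawn their own image, but almost
    always with extra arguments (--type=renderer, /update ...). Requiring an
    identical command line keeps those out; raise min_children to demand the
    double spawn seen in this report."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    children: Dict[int, List[ProcEvent]] = defaultdict(list)
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None or parent.pid == ev.pid:
            continue
        same_image = parent.image.lower() == ev.image.lower()
        if same_image and parent.md5 == ev.md5 and parent.cmdline == ev.cmdline:
            children[parent.pid].append(ev)
    return [(by_pid[pid], kids) for pid, kids in children.items() if len(kids) >= min_children]


# Constructed process-creation events reproducing the report's tree. explorer.exe
# (PID 4120) and the chrome.exe rows are invented benign context; the dummy
# hashes are placeholders, not real values.
SAMPLE_PROC_LOG = r"""
4120|0|C:\Windows\explorer.exe|C:\Windows\explorer.exe|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
3084|4120|C:\Users\user\Desktop\PO_7413.exe|C:\Users\user\Desktop\PO_7413.exe|1B3B644B48693FFEA0D42032E778906B
6100|3084|C:\Users\user\Desktop\PO_7413.exe|C:\Users\user\Desktop\PO_7413.exe|1B3B644B48693FFEA0D42032E778906B
4636|3084|C:\Users\user\Desktop\PO_7413.exe|C:\Users\user\Desktop\PO_7413.exe|1B3B644B48693FFEA0D42032E778906B
5000|4120|C:\Program Files\Google\Chrome\Application\chrome.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe"|bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
5010|5000|C:\Program Files\Google\Chrome\Application\chrome.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer|bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
"""


def self_spawns_in_sample() -> List[Tuple[int, List[int]]]:
    """Run the check over the sample log; returns [(parent_pid, [child_pids])]."""
    events = [parse_proc_line(ln) for ln in SAMPLE_PROC_LOG.strip().splitlines()]
    return [(p.pid, [c.pid for c in kids])
            for p, kids in find_self_spawns(events, min_children=2)]


if __name__ == "__main__":
    for parent_pid, child_pids in self_spawns_in_sample():
        print(f"PID {parent_pid} re-launched its own image as {child_pids}")
```

Only the PO_7413.exe parent (3084) is reported; the chrome.exe renderer is skipped because its command line differs. The heuristic does not see the CREATE_SUSPENDED flag or the memory writes the sandbox signatures refer to, so treat a hit as a triage lead, not proof of injection.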
Malware Configuration (AgentTesla, as extracted from the unpacked payload): {"Exfil Mode": "SMTP", "Host": "mail.printshopgt.com", "Username": "recepcion@printshopgt.com", "Password": "R3cGT17*"}
Yara Overview

Memory Dumps (Source | Rule | Description | Author)
  00000002.00000002.573339941.0000000002981000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  00000002.00000002.573339941.0000000002981000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  Process Memory Space: PO_7413.exe PID: 4636 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  Process Memory Space: PO_7413.exe PID: 4636 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Unpacked PEs (Source | Rule | Description | Author | Strings)
  0.2.PO_7413.exe.378e940.4.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
  0.2.PO_7413.exe.378e940.4.raw.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
    • 0x70b4b:$s1: file:///
    • 0x70a5b:$s2: {11111-22222-10009-11112}
    • 0x70adb:$s3: {11111-22222-50001-00000}
    • 0x700dd:$s4: get_Module
    • 0x70368:$s5: Reverse
    • 0x14b5c0:$s5: Reverse
    • 0x6e1f4:$s6: BlockCopy
    • 0x14cc43:$s6: BlockCopy
    • 0x14b766:$s7: ReadByte
    • 0x70b5d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
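The $s8 hex string is opaque as printed. The Python below, an added example that is neither part of the Joe Sandbox report nor of ditekSHen's rule, decodes it as a run of .NET #US (user-string) heap entries, which is the layout the byte pattern follows: a one-byte compressed length, UTF-16LE characters, then one trailing flag byte, with the length counting characters plus flag. The hex constant is copied from the listing above; the page's "..." truncation is handled by reporting the last entry as partial, and that handling is the example's own.

```python
"""Added example (not Joe Sandbox's or ditekSHen's code): decode the $s8
hex string of MALWARE_Win_zgRAT into the .NET #US heap entries it matches."""
import re
from typing import List, Tuple

# $s8 exactly as printed in the report's string list (truncated with "...").
S8_HEX = (
    "4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 "
    "00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 "
    "74 00 75 00 61 00 6C 00 ..."
)


def hex_string_to_bytes(text: str) -> bytes:
    """Turn a Yara-style hex string into bytes, ignoring '...' and other non-hex tokens."""
    return bytes(int(tok, 16) for tok in text.split() if re.fullmatch(r"[0-9A-Fa-f]{2}", tok))


def decode_us_entries(blob: bytes) -> Tuple[List[str], bool]:
    """Decode consecutive ECMA-335 #US heap entries.

    Per entry: compressed length (one byte here, < 0x80), UTF-16LE characters,
    one trailing flag byte; the length counts characters plus the flag byte.
    The rule's bytes begin inside the first entry, so that entry has no length
    prefix and is read up to its terminator instead (it may therefore be the
    tail of a longer string). Returns (strings, last_entry_truncated).
    """
    entries: List[str] = []
    pos = 0
    chars = []
    while pos + 1 < len(blob):
        unit = blob[pos] | (blob[pos + 1] << 8)
        if not 0x20 <= unit <= 0x7E:      # stop at the first non-printable code unit
            break
        chars.append(chr(unit))
        pos += 2
    entries.append("".join(chars))
    truncated = False
    while pos < len(blob):
        pos += 1                           # trailing flag byte of the previous entry
        if pos >= len(blob):
            break
        length = blob[pos]
        if length >= 0x80:
            raise ValueError("multi-byte compressed length not handled in this example")
        pos += 1
        body_len = length - 1              # exclude the flag byte
        body = blob[pos:pos + body_len]
        if len(body) < body_len:           # ran off the end: the page truncated the pattern
            truncated = True
            body = body[: len(body) - len(body) % 2]
        entries.append(body.decode("utf-16-le"))
        pos += body_len
    return entries, truncated


def decode_s8() -> Tuple[List[str], bool]:
    """Decode the report's $s8 pattern; returns (strings, last_entry_truncated)."""
    return decode_us_entries(hex_string_to_bytes(S8_HEX))


if __name__ == "__main__":
    strings, cut = decode_s8()
    print(strings, "(last entry truncated)" if cut else "")
```

The pattern decodes to "Location", "Find ", "ResourceA" and a cut-off entry beginning "Virtual" whose declared length (0x11, eight characters plus the flag byte) runs past the end of the printed bytes. The report does not say how the sample uses these literals, only that their adjacency in the user-string heap is what the rule keys on.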
            No Sigma rule has matched
Snort IDS Alerts

Timestamp: 03/20/23-14:47:40.789390
Source IP: 192.168.2.5
Destination IP: 66.96.134.29
Source Port: 49690
Destination Port: 587
SID: 2839723 (ETPRO TROJAN Win32/Agent Tesla SMTP Activity)
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/20/23-14:47:40.789531
Source IP: 192.168.2.5
Destination IP: 66.96.134.29
Source Port: 49690
Destination Port: 587
SID: 2851779 (ETPRO TROJAN Agent Tesla Telegram Exfil)
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/20/23-14:47:40.789531
Source IP: 192.168.2.5
Destination IP: 66.96.134.29
Source Port: 49690
Destination Port: 587
SID: 2840032 (ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2)
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/20/23-14:47:40.789390
Source IP: 192.168.2.5
Destination IP: 66.96.134.29
Source Port: 49690
Destination Port: 587
SID: 2030171 (ET TROJAN AgentTesla Exfil Via SMTP)
Protocol: TCP
Classtype: A Network Trojan was detected

            AV Detection

Source: PO_7413.exe | ReversingLabs: Detection: 30%
Source: PO_7413.exe | VirusTotal: Detection: 40%
Source: PO_7413.exe | Joe Sandbox ML: detected
Source: 2.2.PO_7413.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.PO_7413.exe.378e940.4.raw.unpack | Malware Configuration Extractor: AgentTesla {"Exfil Mode": "SMTP", "Host": "mail.printshopgt.com", "Username": "recepcion@printshopgt.com", "Password": "R3cGT17*"}
Source: PO_7413.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO_7413.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: WXNg.pdbSHA256O | source: PO_7413.exe
Source: Binary string: WXNg.pdb | source: PO_7413.exe

            Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49690 -> 66.96.134.29:587
Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49690 -> 66.96.134.29:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49690 -> 66.96.134.29:587
Source: Traffic | Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49690 -> 66.96.134.29:587
Source: Joe Sandbox View | ASN Name: BIZLAND-SDUS
Source: global traffic | TCP traffic: 192.168.2.5:49690 -> 66.96.134.29:587
Note on the strings below: apart from http://mail.printshopgt.com (the SMTP drop host from the extracted configuration), the URLs are font-foundry and licence strings carried in the name tables of installed fonts and in library metadata that the .NET process loaded; none of them is contacted during the analysis. The only network destination observed is mail.printshopgt.com.

Source: PO_7413.exe, 00000000.00000003.309795226.0000000005743000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309639619.0000000005740000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309866819.0000000005743000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://en.wikip
Source: PO_7413.exe, 00000000.00000003.306402390.0000000005743000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.306465269.0000000005743000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.306497370.0000000005742000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.306380254.0000000005742000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.306358175.0000000005743000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://en.wu
Source: PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: PO_7413.exe, 00000002.00000002.573339941.00000000029D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.printshopgt.com
Source: PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313041787.0000000005722000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312856168.0000000005722000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: PO_7413.exe, 00000000.00000003.312919072.0000000005722000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313041787.0000000005722000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312856168.0000000005722000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comJl
Source: PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comand
Source: PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comen
Source: PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comms
Source: PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.compef
Source: PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comr
Source: PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coms
Source: PO_7413.exe, 00000000.00000003.313872425.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314590924.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313999190.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314060524.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO_7413.exe, 00000000.00000003.313872425.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313999190.0000000005735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com7
Source: PO_7413.exe, 00000000.00000003.313999190.0000000005735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comB.TTF
Source: PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314133005.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comals
Source: PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comalsF
Source: PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: PO_7413.exe, 00000000.00000003.313872425.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313999190.0000000005735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comd%
Source: PO_7413.exe, 00000000.00000003.313872425.0000000005735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comdTTF
Source: PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313999190.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314060524.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314133005.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comeded
Source: PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314133005.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comlic
Source: PO_7413.exe, 00000000.00000003.321613204.0000000005720000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comlvfet
Source: PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314133005.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: PO_7413.exe, 00000000.00000003.321613204.0000000005720000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.commK
Source: PO_7413.exe, 00000000.00000003.314133005.0000000005735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comsiva7
Source: PO_7413.exe, 00000000.00000003.309091289.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307673660.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307412713.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308652862.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308603977.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308204869.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308127982.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308409074.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307090748.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307291691.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308973363.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308162888.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309149145.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307957109.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308292309.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308917042.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308460070.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307145904.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308862175.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307814144.000000000575F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.310155887.000000000572D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PO_7413.exe, 00000000.00000003.310287732.0000000005743000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.310370311.0000000005740000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.310481524.0000000005743000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO_7413.exe, 00000000.00000003.309955974.0000000005723000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309839200.0000000005722000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cns
Source: PO_7413.exe, 00000000.00000003.309795226.0000000005743000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309866819.0000000005743000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cntyp
Source: PO_7413.exe, 00000000.00000003.314864766.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314864766.000000000573A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO_7413.exe, 00000000.00000003.314864766.0000000005735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/g
Source: PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO_7413.exe, 00000000.00000003.314864766.000000000573A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/x
Source: PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: PO_7413.exe, 00000000.00000003.312621841.0000000005736000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO_7413.exe, 00000000.00000003.313331989.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/.
Source: PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312621841.0000000005736000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/7
Source: PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/K
Source: PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/T
Source: PO_7413.exe, 00000000.00000003.313331989.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/e
Source: PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/T
Source: PO_7413.exe, 00000000.00000003.313331989.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312621841.0000000005736000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/o
Source: PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/on
Source: PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/roso
Source: PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: PO_7413.exe, 00000000.00000003.313331989.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313437350.0000000005735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/x
Source: PO_7413.exe, 00000000.00000003.314712938.000000000572A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.monotype.
Source: PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: PO_7413.exe, 00000000.00000003.306497370.000000000573B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.come
Source: PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: PO_7413.exe, 00000000.00000003.313407677.0000000005728000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.coms
Source: PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309358449.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: PO_7413.exe, 00000000.00000003.310758013.000000000575F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: PO_7413.exe, 00000000.00000003.314488615.000000000572C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.de
Source: PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | DNS traffic detected: queries for: mail.printshopgt.com
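As an added example (not Joe Sandbox output), the Python below turns the network and hash indicators from this report into a check over constructed endpoint telemetry: the SMTP host, the IP:port pair and the SHA256 come from the report, and a generic rule flags mail-submission traffic from any process that is not an allowed mail client. The pipe-separated telemetry format, the mail-client allow-list, the placeholder hashes and the benign rows are assumptions made for the example; only the first two rows mirror the sandbox run.

```python
"""Added example (not Joe Sandbox output): apply the network and hash
indicators from this report to constructed endpoint telemetry."""
from dataclasses import dataclass
from typing import List, Tuple

# Indicators taken from the report.
IOC_SHA256 = {"79bcc176d961b06ff3f7af0000c16e8fae56cf03b504153e439ecbccfaa34bbf"}
IOC_HOSTS = {"mail.printshopgt.com"}
IOC_DEST = {("66.96.134.29", 587)}
# Assumptions for the monitored fleet: mail-submission ports and the only
# processes allowed to use them. Adjust to your environment.
SUBMISSION_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


@dataclass(frozen=True)
class Event:
    ts: str
    kind: str       # "net" (TCP connect) or "dns" (query)
    process: str    # image name, lower-case
    sha256: str     # image hash, lower-case hex, "" if unknown
    dst: str        # destination IP for "net", queried name for "dns"
    dport: int      # 0 for "dns"


def parse_event(line: str) -> Event:
    """Parse 'ts|kind|process|sha256|dst|dport' (constructed format, not a vendor schema)."""
    ts, kind, process, sha256, dst, dport = line.strip().split("|")
    return Event(ts, kind, process.lower(), sha256.lower(), dst.lower(), int(dport or 0))


def classify(ev: Event) -> List[str]:
    """Return the reasons an event matches; empty if it is clean.

    Hash and hostname are the precise indicators. The IP lives in a hosting
    provider's ASN (BIZLAND-SDUS per the report) whose addresses serve many
    tenants, so a 'dest-ioc' hit on its own is weaker than the DNS match, and
    the port rule only fires for processes outside the mail-client list."""
    reasons = []
    if ev.sha256 in IOC_SHA256:
        reasons.append("image-hash-ioc")
    if ev.kind == "dns" and ev.dst in IOC_HOSTS:
        reasons.append("dns-ioc")
    if ev.kind == "net":
        if (ev.dst, ev.dport) in IOC_DEST:
            reasons.append("dest-ioc")
        if ev.dport in SUBMISSION_PORTS and ev.process not in MAIL_CLIENTS:
            reasons.append("smtp-from-non-mail-client")
    return reasons


def scan(lines: List[str]) -> List[Tuple[Event, List[str]]]:
    """Classify every non-comment line; return only the events with reasons."""
    hits = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed telemetry: the first two rows mirror the sandbox run, the rest
# are benign noise. The repeated-digit hashes and the 203.0.113.x /
# 198.51.100.x addresses are placeholders, not real values.
SAMPLE_LOG = """\
# ts|kind|process|sha256|dst|dport
2023-03-20T14:47:39|dns|PO_7413.exe|79bcc176d961b06ff3f7af0000c16e8fae56cf03b504153e439ecbccfaa34bbf|mail.printshopgt.com|0
2023-03-20T14:47:40|net|PO_7413.exe|79bcc176d961b06ff3f7af0000c16e8fae56cf03b504153e439ecbccfaa34bbf|66.96.134.29|587
2023-03-20T14:50:01|net|OUTLOOK.EXE|0000000000000000000000000000000000000000000000000000000000000000|203.0.113.10|587
2023-03-20T14:51:12|net|chrome.exe|1111111111111111111111111111111111111111111111111111111111111111|203.0.113.20|443
2023-03-20T14:52:30|net|svchost.exe|2222222222222222222222222222222222222222222222222222222222222222|198.51.100.7|465
"""


def scan_sample() -> List[Tuple[str, List[str]]]:
    """Run the IOC check over SAMPLE_LOG; returns [(ts, reasons)] for hits only."""
    return [(ev.ts, reasons) for ev, reasons in scan(SAMPLE_LOG.splitlines())]


if __name__ == "__main__":
    for ts, reasons in scan_sample():
        print(ts, ", ".join(reasons))
```

The two sandbox rows match on hash plus DNS name and on hash plus destination respectively; Outlook on port 587 is clean, and svchost.exe on 465 trips only the generic rule. The SMTP username and password in the extracted configuration are the operator's drop account, useful for takedown requests to the mail provider but not something to match on in telemetry.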

            System Summary

            Source: 0.2.PO_7413.exe.378e940.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
            Source: initial sample | Static PE information: Filename: PO_7413.exe
            Source: PO_7413.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 0.2.PO_7413.exe.378e940.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 0_2_00A9C1E4 0_2_00A9C1E4
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 0_2_00A9E620 0_2_00A9E620
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 0_2_00A9E630 0_2_00A9E630
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_00CEA958 2_2_00CEA958
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_00CEC918 2_2_00CEC918
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_00CE9D40 2_2_00CE9D40
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_00CEA088 2_2_00CEA088
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_00CE5A02 2_2_00CE5A02
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_05CF0040 2_2_05CF0040
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_05CFBB90 2_2_05CFBB90
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_05CF5290 2_2_05CF5290
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_05CF6660 2_2_05CF6660
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_0600B5E0 2_2_0600B5E0
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_06004BA4 2_2_06004BA4
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_06000040 2_2_06000040
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_06003AC7 2_2_06003AC7
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_06003AD0 2_2_06003AD0
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_06006BC0 2_2_06006BC0
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_06000030 2_2_06000030
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_0600E158 2_2_0600E158
            Source: PO_7413.exe, 00000000.00000002.336165397.000000000364A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs PO_7413.exe
            Source: PO_7413.exe, 00000000.00000000.304081466.00000000000F4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWXNg.exe, vs PO_7413.exe
            Source: PO_7413.exe, 00000000.00000002.352280355.00000000070D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs PO_7413.exe
            Source: PO_7413.exe, 00000000.00000002.350412716.00000000056E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCruiser.dll, vs PO_7413.exe
            Source: PO_7413.exe, 00000000.00000002.336165397.00000000039CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamee4ad9a59-b33d-4d55-a700-559a300ec7fa.exe4 vs PO_7413.exe
            Source: PO_7413.exe, 00000000.00000002.336165397.0000000003469000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs PO_7413.exe
            Source: PO_7413.exe, 00000000.00000002.328662557.000000000249B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCruiser.dll, vs PO_7413.exe
            Source: PO_7413.exe, 00000000.00000002.328662557.000000000249B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamee4ad9a59-b33d-4d55-a700-559a300ec7fa.exe4 vs PO_7413.exe
            Source: PO_7413.exe, 00000002.00000002.570305709.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PO_7413.exe
            Source: PO_7413.exe, 00000002.00000002.569046949.0000000000958000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO_7413.exe
            Source: PO_7413.exe, 00000002.00000002.568899826.000000000042C000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamee4ad9a59-b33d-4d55-a700-559a300ec7fa.exe4 vs PO_7413.exe
            Source: PO_7413.exe | Binary or memory string: OriginalFilenameWXNg.exe, vs PO_7413.exe
            Source: PO_7413.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: PO_7413.exe | ReversingLabs: Detection: 30%
            Source: PO_7413.exe | Virustotal: Detection: 40%
            Source: C:\Users\user\Desktop\PO_7413.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Users\user\Desktop\PO_7413.exe C:\Users\user\Desktop\PO_7413.exe
            Source: C:\Users\user\Desktop\PO_7413.exe | Process created: C:\Users\user\Desktop\PO_7413.exe C:\Users\user\Desktop\PO_7413.exe
            Source: C:\Users\user\Desktop\PO_7413.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Users\user\Desktop\PO_7413.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\Desktop\PO_7413.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\PO_7413.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO_7413.exe.log
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/1@1/1
            Source: PO_7413.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\PO_7413.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\PO_7413.exe | Mutant created: \Sessions\1\BaseNamedObjects\ryXTJdrlWpWbGOmNsq
            Source: C:\Users\user\Desktop\PO_7413.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\PO_7413.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Users\user\Desktop\PO_7413.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: PO_7413.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: PO_7413.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: PO_7413.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: WXNg.pdbSHA256O | source: PO_7413.exe
            Source: Binary string: WXNg.pdb | source: PO_7413.exe
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_05CF79AF push edi; iretd 2_2_05CF79B2
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_05CF9EA0 pushfd ; ret 2_2_05CF9EA1
            Source: PO_7413.exe | Static PE information: 0xE7AB8A5F [Sun Mar 1 20:49:35 2093 UTC]
            Source: initial sample | Static PE information: section name: .text entropy: 7.880495014103316
            Source: C:\Users\user\Desktop\PO_7413.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            barindex
            Source: C:\Users\user\Desktop\PO_7413.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Users\user\Desktop\PO_7413.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 4692 | Thread sleep time: -40023s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 632 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 4924 | Thread sleep count: 4139 > 30
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -14757395258967632s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -100000s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -99843s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -99734s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -99616s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -99483s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -99373s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -99243s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -99111s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -98938s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -98779s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -98641s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -98500s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -98390s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -98281s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -98171s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -98062s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -97953s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -97843s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\PO_7413.exe | Window / User API: threadDelayed 4139
            Source: C:\Users\user\Desktop\PO_7413.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\Desktop\PO_7413.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\PO_7413.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 40023
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 100000
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 99843
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 99734
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 99616
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 99483
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 99373
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 99243
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 99111
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 98938
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 98779
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 98641
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 98500
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 98390
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 98281
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 98171
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 98062
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 97953
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 97843
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 922337203685477
            Source: PO_7413.exe, 00000002.00000002.570305709.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllro
            Source: C:\Users\user\Desktop\PO_7413.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\PO_7413.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Source: C:\Users\user\Desktop\PO_7413.exe | Memory written: C:\Users\user\Desktop\PO_7413.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\PO_7413.exe | Process created: C:\Users\user\Desktop\PO_7413.exe C:\Users\user\Desktop\PO_7413.exe
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Users\user\Desktop\PO_7413.exe VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Users\user\Desktop\PO_7413.exe VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_00CEF670 GetUserNameW, 2_2_00CEF670

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.PO_7413.exe.378e940.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.573339941.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO_7413.exe PID: 4636, type: MEMORYSTR
Source: C:\Users\user\Desktop\PO_7413.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\PO_7413.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\PO_7413.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\PO_7413.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\PO_7413.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\PO_7413.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\PO_7413.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000002.00000002.573339941.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO_7413.exe PID: 4636, type: MEMORYSTR
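The file and registry opens listed above (the Thunderbird and Firefox profiles.ini files, the Outlook messaging-profile key, the IncrediMail identities key, the WinSCP sessions key and Chrome's Login Data database) are the credential stores PO_7413.exe reaches for, and none of them belong to the process that reads them. The following Python is an added detection example, not part of this Joe Sandbox report: it groups endpoint file/registry-open events by process and raises an alert when one process reads credential stores of two or more applications it does not own. The store paths are the ones the report records; the event tuple format, the list of legitimate owner processes and the sample events (including the font-file queries the report shows, which are included here as noise that must not match) are constructed for this example.

```python
from collections import defaultdict

# Credential stores PO_7413.exe opened in the report, the application each belongs to,
# and the process names allowed to read it (owner names are this example's assumption).
CREDENTIAL_STORES = [
    (r"\AppData\Roaming\Thunderbird\profiles.ini", "Thunderbird", {"thunderbird.exe"}),
    (r"\AppData\Roaming\Mozilla\Firefox\profiles.ini", "Firefox", {"firefox.exe"}),
    (r"\AppData\Local\Google\Chrome\User Data\Default\Login Data", "Chrome", {"chrome.exe"}),
    (r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676", "Outlook", {"outlook.exe"}),
    (r"\Software\IncrediMail\Identities", "IncrediMail", {"incmail.exe"}),
    (r"\Martin Prikryl\WinSCP 2\Sessions", "WinSCP", {"winscp.exe"}),
]


def _norm(path):
    """Case-insensitive, backslash-normalised form of a file or registry path."""
    return path.replace("/", "\\").lower()


def classify_access(image, target):
    """Return (application, is_foreign) if target is a known credential store,
    where is_foreign is True when the reading process is not the store's owner.
    Returns None for paths that are not credential stores (e.g. font files)."""
    t = _norm(target)
    for fragment, app, owners in CREDENTIAL_STORES:
        if _norm(fragment) in t:
            return app, image.lower() not in owners
    return None


def harvesting_alerts(events, min_apps=2):
    """events: iterable of (pid, image, target) tuples for file/registry opens.
    Returns one alert per process that read credential stores of at least
    min_apps different applications it does not own, sorted by pid."""
    per_proc = defaultdict(lambda: {"image": None, "apps": set(), "targets": []})
    for pid, image, target in events:
        hit = classify_access(image, target)
        if hit is None:
            continue
        app, foreign = hit
        if not foreign:
            continue                      # the owning application reading its own store
        rec = per_proc[pid]
        rec["image"] = image
        rec["apps"].add(app)
        rec["targets"].append(target)
    return [
        {"pid": pid, "image": r["image"], "apps": sorted(r["apps"]), "targets": r["targets"]}
        for pid, r in sorted(per_proc.items())
        if len(r["apps"]) >= min_apps
    ]


# Constructed sample events. PID 4636 reproduces the access pattern the report shows
# for PO_7413.exe; the other PIDs are legitimate owners and a single-store reader.
SAMPLE_EVENTS = [
    (4636, "PO_7413.exe", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (4636, "PO_7413.exe", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    (4636, "PO_7413.exe", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    (4636, "PO_7413.exe", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    (4636, "PO_7413.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (4636, "PO_7413.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (4636, "PO_7413.exe", r"C:\Windows\Fonts\PERI____.TTF"),          # font query: not a store
    (1200, "chrome.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (2100, "firefox.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (3300, "backup.exe", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),  # one foreign store only
]

if __name__ == "__main__":
    for alert in harvesting_alerts(SAMPLE_EVENTS):
        print(f"PID {alert['pid']} ({alert['image']}) read credential stores of: "
              + ", ".join(alert["apps"]))
```

The threshold of two applications is what separates a stealer from a backup tool or a migration utility that legitimately touches one product's profile; lowering `min_apps` to 1 turns the same function into a plain allow-list check on each store.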

Remote Access Functionality

Source: Yara match | File source: 0.2.PO_7413.exe.378e940.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.573339941.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO_7413.exe PID: 4636, type: MEMORYSTR
MITRE ATT&CK matrix (techniques listed per tactic; bracketed digits are the report's signature-count badges, reproduced as extracted):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation [211]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection [111]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [131]; Process Injection [111]; Obfuscated Files or Information [2]; Software Packing [3]; Timestomp [1]; Indicator Removal from Tools
Credential Access: OS Credential Dumping [1]; Credentials in Registry [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery [111]; Process Discovery [1]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; Account Discovery [1]; System Owner/User Discovery [1]; Remote System Discovery [1]; System Information Discovery [114]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Email Collection [1]; Archive Collected Data [1]; Data from Local System [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [11]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Source | Detection | Scanner | Label | Link
PO_7413.exe | 31% | ReversingLabs | ByteCode-MSIL.Trojan.Generic | -
PO_7413.exe | 40% | Virustotal | - | Browse
PO_7413.exe | 100% | Joe Sandbox ML | - | -
No Antivirus matches
Source | Detection | Scanner | Label | Link | Download
2.2.PO_7413.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | - | Download File
No Antivirus matches
Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.carterandcone.comen | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.fontbureau.comalsF | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/roso | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/7 | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.fontbureau.comB.TTF | 0% | URL Reputation | safe
http://www.founder.com.cn/cns | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/. | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/T | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.fontbureau.com7 | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sajatypeworks.come | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.carterandcone.compef | 0% | URL Reputation | safe
http://www.fontbureau.comeded | 0% | URL Reputation | safe
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/T | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/K | 0% | URL Reputation | safe
http://www.carterandcone.comr | 0% | URL Reputation | safe
http://www.fontbureau.commK | 0% | URL Reputation | safe
http://www.fontbureau.comlic | 0% | URL Reputation | safe
http://www.carterandcone.coms | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.fontbureau.comd% | 0% | Avira URL Cloud | safe
http://www.sakkal.coms | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/x | 0% | Avira URL Cloud | safe
http://www.carterandcone.comms | 0% | Avira URL Cloud | safe
http://en.wu | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/g | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/on | 0% | URL Reputation | safe
http://en.wikip | 0% | URL Reputation | safe
http://www.fontbureau.comd | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/x | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/s | 0% | URL Reputation | safe
http://www.fontbureau.comdTTF | 0% | URL Reputation | safe
http://www.monotype. | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/o | 0% | URL Reputation | safe
http://www.fontbureau.comlvfet | 0% | URL Reputation | safe
http://www.fontbureau.comm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.comals | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/e | 0% | URL Reputation | safe
http://www.fontbureau.comsiva7 | 0% | Avira URL Cloud | safe
http://www.carterandcone.comand | 0% | URL Reputation | safe
http://mail.printshopgt.com | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cntyp | 0% | Avira URL Cloud | safe
http://www.carterandcone.comJl | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.printshopgt.com | 66.96.134.29 | true | true | - | unknown

Note: the URL reputation table above rates http://mail.printshopgt.com as safe while the report flags the same host as malicious here; URL-blocklist reputation and the sandbox's own verdict are independent signals, and a clean reputation score for a contacted host is not evidence that the traffic to it is benign.
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers/? | PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.carterandcone.comen | PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comd% | PO_7413.exe, 00000000.00000003.313872425.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313999190.0000000005735000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.tiro.com | PO_7413.exe, 00000000.00000003.310758013.000000000575F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.goodfont.co.kr | PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313041787.0000000005722000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312856168.0000000005722000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comalsF | PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/roso | PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/7 | PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312621841.0000000005736000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.coms | PO_7413.exe, 00000000.00000003.313407677.0000000005728000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comB.TTF | PO_7413.exe, 00000000.00000003.313999190.0000000005735000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cns | PO_7413.exe, 00000000.00000003.309955974.0000000005723000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309839200.0000000005722000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/x | PO_7413.exe, 00000000.00000003.314864766.000000000573A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/. | PO_7413.exe, 00000000.00000003.313331989.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0 | PO_7413.exe, 00000000.00000003.313331989.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comms | PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://en.wu | PO_7413.exe, 00000000.00000003.306402390.0000000005743000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.306465269.0000000005743000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.306497370.0000000005742000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.306380254.0000000005742000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.306358175.0000000005743000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | PO_7413.exe, 00000000.00000003.309091289.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307673660.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307412713.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308652862.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308603977.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308204869.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308127982.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308409074.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307090748.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307291691.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308973363.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308162888.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309149145.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307957109.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308292309.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308917042.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308460070.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307145904.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308862175.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307814144.000000000575F000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.sandoll.co.kr | PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309358449.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/T | PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com7 | PO_7413.exe, 00000000.00000003.313872425.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313999190.0000000005735000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.de | PO_7413.exe, 00000000.00000003.314488615.000000000572C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.come | PO_7413.exe, 00000000.00000003.306497370.000000000573B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | false
                        • URL Reputation: safe
                        unknown
                        http://www.galapagosdesign.com/gPO_7413.exe, 00000000.00000003.314864766.0000000005735000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.carterandcone.compefPO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.apache.org/licenses/LICENSE-2.0PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://www.fontbureau.comPO_7413.exe, 00000000.00000003.313872425.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314590924.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313999190.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314060524.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            http://www.fontbureau.comededPO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313999190.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314060524.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314133005.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.galapagosdesign.com/PO_7413.exe, 00000000.00000003.314864766.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314864766.000000000573A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.comFPO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314133005.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.jiyu-kobo.co.jp/TPO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.jiyu-kobo.co.jp/KPO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.carterandcone.comrPO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.commKPO_7413.exe, 00000000.00000003.321613204.0000000005720000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.comlicPO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314133005.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.carterandcone.comsPO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.jiyu-kobo.co.jp/jp/PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.jiyu-kobo.co.jp/onPO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://en.wikipPO_7413.exe, 00000000.00000003.309795226.0000000005743000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309639619.0000000005740000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309866819.0000000005743000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.comdPO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.comsiva7PO_7413.exe, 00000000.00000003.314133005.0000000005735000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.carterandcone.comlPO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.founder.com.cn/cn/PO_7413.exe, 00000000.00000003.310287732.0000000005743000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.310370311.0000000005740000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.310481524.0000000005743000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://mail.printshopgt.comPO_7413.exe, 00000002.00000002.573339941.00000000029D9000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.fontbureau.com/designers/cabarga.htmlNPO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://www.founder.com.cn/cnPO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.310155887.000000000572D000.00000004.00000020.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.jiyu-kobo.co.jp/xPO_7413.exe, 00000000.00000003.313331989.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313437350.0000000005735000.00000004.00000020.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com/designers/frere-jones.htmlPO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://www.jiyu-kobo.co.jp/sPO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.comdTTFPO_7413.exe, 00000000.00000003.313872425.0000000005735000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.monotype.PO_7413.exe, 00000000.00000003.314712938.000000000572A000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.jiyu-kobo.co.jp/oPO_7413.exe, 00000000.00000003.313331989.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312621841.0000000005736000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.comlvfetPO_7413.exe, 00000000.00000003.321613204.0000000005720000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.commPO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314133005.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.jiyu-kobo.co.jp/PO_7413.exe, 00000000.00000003.312621841.0000000005736000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designers8PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://www.fontbureau.comalsPO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/ePO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.carterandcone.comJlPO_7413.exe, 00000000.00000003.312919072.0000000005722000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313041787.0000000005722000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312856168.0000000005722000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.carterandcone.comandPO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.founder.com.cn/cntypPO_7413.exe, 00000000.00000003.309795226.0000000005743000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309866819.0000000005743000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
IP            Domain                Country        ASN    ASN Name      Malicious
66.96.134.29  mail.printshopgt.com  United States  29873  BIZLAND-SDUS  true
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 830617
Start date and time: 2023-03-20 14:46:21 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: PO_7413.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/1@1/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 39
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time      Type             Description
14:47:25  API Interceptor  19x Sleep call for process: PO_7413.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
BIZLAND-SDUS | Q5QuwXOwrT.elf | malicious | Mirai | 209.40.194.212
BIZLAND-SDUS | Inquiry.exe | malicious | FormBook | 66.96.161.158
BIZLAND-SDUS | ye5GHWJ8UG.exe | malicious | Grandcrab, Gandcrab | 66.96.147.106
BIZLAND-SDUS | Inquiry.exe | malicious | FormBook | 66.96.161.158
BIZLAND-SDUS | SWIFT_Transfer.exe | malicious | AgentTesla | 66.96.160.155
BIZLAND-SDUS | 3004566.exe | malicious | AgentTesla, zgRAT | 66.96.163.136
BIZLAND-SDUS | gjvkyygg.exe | malicious | FormBook | 66.96.160.138
BIZLAND-SDUS | Cotizaci#U00f3n_0595.exe | malicious | AgentTesla, zgRAT | 66.96.160.155
BIZLAND-SDUS | rConsumerPO-4806125050.exe | malicious | AgentTesla | 66.96.160.155
BIZLAND-SDUS | INTHIST_230714122537.vbs | malicious | FormBook | 66.96.162.130
BIZLAND-SDUS | Quotation 37099.exe | malicious | AgentTesla | 66.96.160.155
BIZLAND-SDUS | NSYRmSXD2r.exe | malicious | AgentTesla, zgRAT | 66.96.147.104
BIZLAND-SDUS | T6F1W04v8G.exe | malicious | AgentTesla | 66.96.147.104
BIZLAND-SDUS | sora.arm.elf | malicious | Mirai | 209.59.226.169
BIZLAND-SDUS | https://go2.israelandafrica.com/f/a/y5H0bDO4woHaMQouJjYlOfq~~/OMbOowf~/aHR0cDovL0N1cmF0ZWJpby5VU0VSaEJNWUkubXNibG9nZ2VyLmNvbS5hdS9qYXNvbi53YWxzaEBjdXJhdGViaW8uY29t | malicious | Unknown | 207.148.248.132
BIZLAND-SDUS | fv7YxvEYO7.elf | malicious | Mirai | 209.59.226.190
BIZLAND-SDUS | 1jwI8qulgr.exe | malicious | FormBook | 66.96.162.147
BIZLAND-SDUS | Halkbank_Ekstre_20191102_073809_405251-PDF.com.exe | malicious | FormBook | 66.96.162.149
BIZLAND-SDUS | FedEx Express AWB#5305323204643.exe | malicious | FormBook | 66.96.147.160
BIZLAND-SDUS | T.C.Ziraat Bankasi A.S_Ekstre_20191102_073809_405251-PDF.com.exe | malicious | FormBook | 66.96.162.149
Process: C:\Users\user\Desktop\PO_7413.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.8746286820631415
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: PO_7413.exe
File size: 921600
MD5: 1b3b644b48693ffea0d42032e778906b
SHA1: 2a26e739cae611522e94853194499765aa7ba30c
SHA256: 79bcc176d961b06ff3f7af0000c16e8fae56cf03b504153e439ecbccfaa34bbf
SHA512: 5889b4312b50de48da9e57d0eeba34ffe7f552f9213168e968987150752c353ddf9191b421ef89ec32249002d261f252eb34870320d1cc61b630e8f0102ccad7
SSDEEP: 24576:FKUX6CbNDSMEBscggDeSOrwBNKDAsJvZ:pXZbIXBxeS5BNKr7
TLSH: 4A1502246BEB8326F6365BBD91A12682577E27A37703D68D1CF112CA4727B014FD132B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.................0..............%... ...@....@.. ....................................@................................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x4e25aa
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xE7AB8A5F [Sun Mar 1 20:49:35 2093 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al  (repeated; the bytes following the entrypoint jmp are zero padding, which disassembles as this instruction)
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  Name | Virtual Address | Virtual Size | Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe2558 | 0x4f | .text
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe4000 | 0x58c | .rsrc
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe6000 | 0xc | .reloc
                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0xe035c | 0x70 | .text
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                  .text | 0x2000 | 0xe05b0 | 0xe0600 | False | 0.936121387534819 | PGP symmetric key encrypted data - Plaintext or unencrypted data | 7.880495014103316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  .rsrc | 0xe4000 | 0x58c | 0x600 | False | 0.4173177083333333 | data | 4.044715606987517 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .reloc | 0xe6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                  Name | RVA | Size | Type | Language | Country
                                  RT_VERSION | 0xe4090 | 0x2fc | data | |
                                  RT_MANIFEST | 0xe439c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
                                  DLL | Import
                                  mscoree.dll | _CorExeMain
                                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                  03/20/23-14:47:40.789390 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49690 | 587 | 192.168.2.5 | 66.96.134.29
                                  03/20/23-14:47:40.789531 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49690 | 587 | 192.168.2.5 | 66.96.134.29
                                  03/20/23-14:47:40.789531 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49690 | 587 | 192.168.2.5 | 66.96.134.29
                                  03/20/23-14:47:40.789390 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49690 | 587 | 192.168.2.5 | 66.96.134.29
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Mar 20, 2023 14:47:38.902317047 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
                                  Mar 20, 2023 14:47:39.007510900 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
                                  Mar 20, 2023 14:47:39.007812023 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
                                  Mar 20, 2023 14:47:39.114033937 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
                                  Mar 20, 2023 14:47:39.119223118 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
                                  Mar 20, 2023 14:47:39.224498987 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
                                  Mar 20, 2023 14:47:39.224586964 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
                                  Mar 20, 2023 14:47:39.225270033 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
                                  Mar 20, 2023 14:47:39.330396891 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
                                  Mar 20, 2023 14:47:39.330877066 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
                                  Mar 20, 2023 14:47:39.331320047 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
                                  Mar 20, 2023 14:47:39.436825037 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
                                  Mar 20, 2023 14:47:39.438386917 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
                                  Mar 20, 2023 14:47:39.438667059 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
                                  Mar 20, 2023 14:47:39.544048071 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
                                  Mar 20, 2023 14:47:39.546717882 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
                                  Mar 20, 2023 14:47:39.546988964 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
                                  Mar 20, 2023 14:47:39.652383089 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
                                  Mar 20, 2023 14:47:40.681462049 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
                                  Mar 20, 2023 14:47:40.681699991 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
                                  Mar 20, 2023 14:47:40.787223101 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
                                  Mar 20, 2023 14:47:40.787426949 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
                                  Mar 20, 2023 14:47:40.789390087 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
                                  Mar 20, 2023 14:47:40.789530993 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
                                  Mar 20, 2023 14:47:40.789588928 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
                                  Mar 20, 2023 14:47:40.789647102 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
                                  Mar 20, 2023 14:47:40.894815922 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
                                  Mar 20, 2023 14:47:40.894861937 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
                                  Mar 20, 2023 14:47:40.896704912 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
                                  Mar 20, 2023 14:47:41.036768913 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
                                  Mar 20, 2023 14:49:19.270958900 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
                                  Mar 20, 2023 14:49:19.376615047 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
                                  Mar 20, 2023 14:49:19.377424002 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
                                  Mar 20, 2023 14:49:19.377515078 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
                                  Mar 20, 2023 14:49:19.377933025 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
                                  Mar 20, 2023 14:49:19.380515099 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
                                  Mar 20, 2023 14:49:19.485925913 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Mar 20, 2023 14:47:38.769144058 CET | 58218 | 53 | 192.168.2.5 | 8.8.8.8
                                  Mar 20, 2023 14:47:38.882294893 CET | 53 | 58218 | 8.8.8.8 | 192.168.2.5
                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                  Mar 20, 2023 14:47:38.769144058 CET | 192.168.2.5 | 8.8.8.8 | 0x699a | Standard query (0) | mail.printshopgt.com | A (IP address) | IN (0x0001) | false
                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                  Mar 20, 2023 14:47:38.882294893 CET | 8.8.8.8 | 192.168.2.5 | 0x699a | No error (0) | mail.printshopgt.com | | 66.96.134.29 | A (IP address) | IN (0x0001) | false
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                  Mar 20, 2023 14:47:39.114033937 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5 | 220 ESMTP Mon, 20 Mar 2023 09:47:39 -0400: UCE strictly prohibited
                                  Mar 20, 2023 14:47:39.119223118 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29 | EHLO 367706
                                  Mar 20, 2023 14:47:39.224586964 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5 | 250-bosauthsmtp04.yourhostingaccount.com Hello 367706 [84.17.52.9]
                                      250-SIZE 34603008
                                      250-8BITMIME
                                      250-PIPELINING
                                      250-PIPE_CONNECT
                                      250-AUTH PLAIN LOGIN
                                      250-CHUNKING
                                      250-STARTTLS
                                      250 HELP
                                  Mar 20, 2023 14:47:39.225270033 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29 | AUTH login cmVjZXBjaW9uQHByaW50c2hvcGd0LmNvbQ==
                                  Mar 20, 2023 14:47:39.330877066 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5 | 334 UGFzc3dvcmQ6
                                  Mar 20, 2023 14:47:39.438386917 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5 | 235 Authentication succeeded
                                  Mar 20, 2023 14:47:39.438667059 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29 | MAIL FROM:<recepcion@printshopgt.com>
                                  Mar 20, 2023 14:47:39.546717882 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5 | 250 OK
                                  Mar 20, 2023 14:47:39.546988964 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29 | RCPT TO:<recepcion@printshopgt.com>
                                  Mar 20, 2023 14:47:40.681462049 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5 | 250 Accepted
                                  Mar 20, 2023 14:47:40.681699991 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29 | DATA
                                  Mar 20, 2023 14:47:40.787426949 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
                                  Mar 20, 2023 14:47:40.789647102 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29 | .
                                  Mar 20, 2023 14:47:40.896704912 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5 | 250 OK id=1peFrQ-00054x-Nh
                                  Mar 20, 2023 14:49:19.270958900 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29 | QUIT
                                  Mar 20, 2023 14:49:19.377424002 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5 | 221 bosauthsmtp04.yourhostingaccount.com closing connection


                                  Target ID:0
                                  Start time:14:47:19
                                  Start date:20/03/2023
                                  Path:C:\Users\user\Desktop\PO_7413.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\Desktop\PO_7413.exe
                                  Imagebase:0x10000
                                  File size:921600 bytes
                                  MD5 hash:1B3B644B48693FFEA0D42032E778906B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Reputation:low

                                  Target ID:1
                                  Start time:14:47:27
                                  Start date:20/03/2023
                                  Path:C:\Users\user\Desktop\PO_7413.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Users\user\Desktop\PO_7413.exe
                                  Imagebase:0x80000
                                  File size:921600 bytes
                                  MD5 hash:1B3B644B48693FFEA0D42032E778906B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low

                                  Target ID:2
                                  Start time:14:47:27
                                  Start date:20/03/2023
                                  Path:C:\Users\user\Desktop\PO_7413.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\Desktop\PO_7413.exe
                                  Imagebase:0x4d0000
                                  File size:921600 bytes
                                  MD5 hash:1B3B644B48693FFEA0D42032E778906B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.573339941.0000000002981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.573339941.0000000002981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low


                                    Execution Graph

                                    Execution Coverage:14.3%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:93
                                    Total number of Limit Nodes:7
                                    execution_graph 10152 a9fdb8 10153 a9fe20 CreateWindowExW 10152->10153 10155 a9fedc 10153->10155 10156 a9b978 DuplicateHandle 10157 a9ba0e 10156->10157 10158 a99930 10159 a99978 GetModuleHandleW 10158->10159 10160 a99972 10158->10160 10161 a999a5 10159->10161 10160->10159 10162 a940d0 10163 a940e2 10162->10163 10164 a940ee 10163->10164 10168 a941e0 10163->10168 10173 a93c64 10164->10173 10166 a9410d 10169 a94205 10168->10169 10177 a942e0 10169->10177 10181 a942d0 10169->10181 10174 a93c6f 10173->10174 10189 a951a4 10174->10189 10176 a96ad5 10176->10166 10179 a94307 10177->10179 10178 a943e4 10178->10178 10179->10178 10185 a93de4 10179->10185 10183 a942e0 10181->10183 10182 a943e4 10183->10182 10184 a93de4 CreateActCtxA 10183->10184 10184->10182 10186 a95370 CreateActCtxA 10185->10186 10188 a95433 10186->10188 10190 a951af 10189->10190 10193 a957f8 10190->10193 10192 a96b7d 10192->10176 10194 a95803 10193->10194 10197 a95828 10194->10197 10196 a96c5a 10196->10192 10198 a95833 10197->10198 10201 a95858 10198->10201 10200 a96d4a 10200->10196 10202 a95863 10201->10202 10203 a9749c 10202->10203 10205 a9b370 10202->10205 10203->10200 10206 a9b3a1 10205->10206 10207 a9b3c5 10206->10207 10210 a9b638 10206->10210 10214 a9b627 10206->10214 10207->10203 10211 a9b645 10210->10211 10212 a9b67f 10211->10212 10218 a99838 10211->10218 10212->10207 10215 a9b645 10214->10215 10216 a9b67f 10215->10216 10217 a99838 LoadLibraryExW 10215->10217 10216->10207 10217->10216 10219 a99843 10218->10219 10220 a9c378 10219->10220 10222 a99900 10219->10222 10223 a9990b 10222->10223 10224 a95858 LoadLibraryExW 10223->10224 10225 a9c3e7 10224->10225 10229 a9e158 10225->10229 10235 a9e168 10225->10235 10226 a9c420 10226->10220 10231 a9e1e5 10229->10231 10232 a9e199 10229->10232 10230 a9e1a5 10230->10226 10231->10226 10232->10230 10233 a9e5e8 LoadLibraryExW 10232->10233 10234 a9e5d8 LoadLibraryExW 10232->10234 10233->10231 10234->10231 10237 a9e1e5 10235->10237 10238 a9e199 10235->10238 10236 a9e1a5 10236->10226 10237->10226 10238->10236 10239 a9e5e8 LoadLibraryExW 10238->10239 10240 a9e5d8 LoadLibraryExW 10238->10240 10239->10237 10240->10237 10241 a9b750 GetCurrentProcess 10242 a9b7ca GetCurrentThread 10241->10242 10243 a9b7c3 10241->10243 10244 a9b800 10242->10244 10245 a9b807 GetCurrentProcess 10242->10245 10243->10242 10244->10245 10246 a9b83d 10245->10246 10247 a9b865 GetCurrentThreadId 10246->10247 10248 a9b896 10247->10248 10249 a99250 10250 a9925f 10249->10250 10253 a99339 10249->10253 10257 a99348 10249->10257 10254 a9935b 10253->10254 10255 a9936b 10254->10255 10261 a999d8 10254->10261 10255->10250 10258 a9935b 10257->10258 10259 a9936b 10258->10259 10260 a999d8 LoadLibraryExW 10258->10260 10259->10250 10260->10259 10262 a999ec 10261->10262 10264 a99a11 10262->10264 10265 a99538 10262->10265 10264->10255 10266 a99bb8 LoadLibraryExW 10265->10266 10268 a99c31 10266->10268 10268->10264

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 00A9B7B0
                                    • GetCurrentThread.KERNEL32 ref: 00A9B7ED
                                    • GetCurrentProcess.KERNEL32 ref: 00A9B82A
                                    • GetCurrentThreadId.KERNEL32 ref: 00A9B883
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.327412564.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a90000_PO_7413.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: 7ab9644347370ff22118eb2f9a1992853587a9661672932282c1affe159436d5
                                    • Instruction ID: 25ca2e94945f8dd77a097f2c0099823a52be126ede78027af0f1b9bf1efb7979
                                    • Opcode Fuzzy Hash: 7ab9644347370ff22118eb2f9a1992853587a9661672932282c1affe159436d5
                                    • Instruction Fuzzy Hash: AC5144B0D006498FDB14CFAADA48B9EBBF0BF88304F248469E019A7360DBB45944CF65
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 19 a9fdb8-a9fe1e 20 a9fe29-a9fe30 19->20 21 a9fe20-a9fe26 19->21 22 a9fe3b-a9feda CreateWindowExW 20->22 23 a9fe32-a9fe38 20->23 21->20 25 a9fedc-a9fee2 22->25 26 a9fee3-a9ff1b 22->26 23->22 25->26 30 a9ff28 26->30 31 a9ff1d-a9ff20 26->31 31->30
                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00A9FECA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.327412564.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a90000_PO_7413.jbxd
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: 97b54375c29677a860cc02d3c3151bacc3d3ca166718b32ed84eedf0c8ae9bc9
                                    • Instruction ID: d697c482d04b24fde2bf62e3844787598cfa5200b7603c3df1ca5c59e847e673
                                    • Opcode Fuzzy Hash: 97b54375c29677a860cc02d3c3151bacc3d3ca166718b32ed84eedf0c8ae9bc9
                                    • Instruction Fuzzy Hash: 0141CEB1D003099FDF14CF9AC984ADEBBF5BF48710F24812AE819AB250D774A985CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    control_flow_graph 32 a93de4-a95431 CreateActCtxA 35 a9543a-a95494 32->35 36 a95433-a95439 32->36 43 a954a3-a954a7 35->43 44 a95496-a95499 35->44 36->35 45 a954a9-a954b5 43->45 46 a954b8 43->46 44->43 45->46 48 a954b9 46->48 48->48
                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 00A95421
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.327412564.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a90000_PO_7413.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: b2b952dafc8518090e090376f1348fc961059518b5f3d6dfd4f5a43f850c79eb
                                    • Instruction ID: c4eb8cb079e10b08f9e15a457a8ef05d141023bb7a9dd2061b478667e56225f3
                                    • Opcode Fuzzy Hash: b2b952dafc8518090e090376f1348fc961059518b5f3d6dfd4f5a43f850c79eb
                                    • Instruction Fuzzy Hash: E341F171D00718CFDB24DFA9C845B9EBBF5BF88704F20806AD408AB251DBB56985CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    control_flow_graph 49 a9536e 50 a95370-a95431 CreateActCtxA 49->50 52 a9543a-a95494 50->52 53 a95433-a95439 50->53 60 a954a3-a954a7 52->60 61 a95496-a95499 52->61 53->52 62 a954a9-a954b5 60->62 63 a954b8 60->63 61->60 62->63 65 a954b9 63->65 65->65
                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 00A95421
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.327412564.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a90000_PO_7413.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: 52b3b64e259438bcf4cba043e04de2915d8bd22f7a81f296d2de5aa4dc19cc15
                                    • Instruction ID: 08f6dfc75973cef9f2420df71c7d768ef7753d9d9cb9fcf6ba39373a28c83955
                                    • Opcode Fuzzy Hash: 52b3b64e259438bcf4cba043e04de2915d8bd22f7a81f296d2de5aa4dc19cc15
                                    • Instruction Fuzzy Hash: C841F271D00718CEDB24DFA9C845BCEBBF5BF88704F20806AD418AB251DBB56985CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    control_flow_graph 66 a9b978-a9ba0c DuplicateHandle 67 a9ba0e-a9ba14 66->67 68 a9ba15-a9ba32 66->68 67->68
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A9B9FF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.327412564.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a90000_PO_7413.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: 70a421589f2593666ae2b0050d692e8990ec166b7e31026889068bff816f893b
                                    • Instruction ID: a75779dd591d99d57ed655a77bb5786865f13bf6fe8f4120c20771a0cdb171b8
                                    • Opcode Fuzzy Hash: 70a421589f2593666ae2b0050d692e8990ec166b7e31026889068bff816f893b
                                    • Instruction Fuzzy Hash: 2D21B0B59002499FDB10CFAAD984ADEBBF8EB48324F14841AE914A7310D378A944CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    control_flow_graph 71 a99538-a99bf8 73 a99bfa-a99bfd 71->73 74 a99c00-a99c2f LoadLibraryExW 71->74 73->74 75 a99c38-a99c55 74->75 76 a99c31-a99c37 74->76 76->75
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A99A11,00000800,00000000,00000000), ref: 00A99C22
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.327412564.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a90000_PO_7413.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 33274ba205c508ffe06941bea6090b80bb7ef8aff6b038094f86a0ba1d26d161
                                    • Instruction ID: c5b2e2d5ba6aa425f86bcc6cd4e62953424700533fdc1a821f2cc1c8c6ce0d59
                                    • Opcode Fuzzy Hash: 33274ba205c508ffe06941bea6090b80bb7ef8aff6b038094f86a0ba1d26d161
                                    • Instruction Fuzzy Hash: 2111D3B69002099FDF10DF9AD944ADFFBF4EB48720F14846ED415A7600C7B8A945CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    control_flow_graph 79 a99930-a99970 80 a99978-a999a3 GetModuleHandleW 79->80 81 a99972-a99975 79->81 82 a999ac-a999c0 80->82 83 a999a5-a999ab 80->83 81->80 83->82
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00A99996
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.327412564.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a90000_PO_7413.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: 9a61712f962965e21ddf94dfb79614d23f47bad3e30c7acbf0c25a1e3b8c1d91
                                    • Instruction ID: f9c072d153576d9de5ca858f732251c272c237e265c3bcd47dadd2d1f197af2b
                                    • Opcode Fuzzy Hash: 9a61712f962965e21ddf94dfb79614d23f47bad3e30c7acbf0c25a1e3b8c1d91
                                    • Instruction Fuzzy Hash: B7110FB6D002098FDB10CF9AC544ADEFBF4AB88320F14842ED419B7210C379A545CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.327007162.00000000008AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8ad000_PO_7413.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1c7afc966e9f237c3111b0e2c9db626e4631a3eebd3ab663a68ab6e3312cda31
                                    • Instruction ID: d5517bed09768602ea51e08509f89182228779540dd0ba34eb4dded5998315fd
                                    • Opcode Fuzzy Hash: 1c7afc966e9f237c3111b0e2c9db626e4631a3eebd3ab663a68ab6e3312cda31
                                    • Instruction Fuzzy Hash: 95213771904344DFEB15DF14D9C0B26BF65FB88328F24C569E806CBA46C336D846DBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.327096784.00000000008BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008BD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8bd000_PO_7413.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fc8bed36a48374bba407417a9a2e38d41b18b54c6b7ebbb35df4a6faccf37da6
                                    • Instruction ID: 471040387faf7b3240766443f7331ba3c75240b3a178b551fdaa95b34c996372
                                    • Opcode Fuzzy Hash: fc8bed36a48374bba407417a9a2e38d41b18b54c6b7ebbb35df4a6faccf37da6
                                    • Instruction Fuzzy Hash: 7921F275604744EFDB14EF14D9C0B56BBA5FB88328F24C9A9D8098B346D33AD847CA61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.327096784.00000000008BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008BD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8bd000_PO_7413.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 03246692ade5fdf50316cc4998f65dac7e16ecd4c6d6617eeb5b6a689a981135
                                    • Instruction ID: 097dd9bdfe91e6fa3a73baece06acf9cf56e64018ca75129cc953e9fb2733764
                                    • Opcode Fuzzy Hash: 03246692ade5fdf50316cc4998f65dac7e16ecd4c6d6617eeb5b6a689a981135
                                    • Instruction Fuzzy Hash: 92210475504384EFDB05DF14D9C0B66BBA5FB84318F24CAADE8098B346D33AE846CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.327096784.00000000008BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008BD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8bd000_PO_7413.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 56cb30f1c32656761e74edf096eedc134720c3996c0fb8d20c41ce79c00c62ed
                                    • Instruction ID: 235777bdeb69c74032b91aaf9f12d53f4201286ed3c330915c132b07f58e6b3e
                                    • Opcode Fuzzy Hash: 56cb30f1c32656761e74edf096eedc134720c3996c0fb8d20c41ce79c00c62ed
                                    • Instruction Fuzzy Hash: 48217F755087809FCB02DF14D994B11BFB1FB46314F28C5EAD8498B2A6D33AD85ACB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.327007162.00000000008AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8ad000_PO_7413.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 29d2f0100e3109f4613dfdff40d42613bb56894c0d784d201462b3ed20c718eb
                                    • Instruction ID: a3263039c54cba921e421f6928677f9cd22c5d334b0f9354746e791d91f7cf9e
                                    • Opcode Fuzzy Hash: 29d2f0100e3109f4613dfdff40d42613bb56894c0d784d201462b3ed20c718eb
                                    • Instruction Fuzzy Hash: 3311E676904380CFDB12CF14D5C4B16BF71FB84324F28C6A9D8458BA56C336D856CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.327096784.00000000008BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008BD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8bd000_PO_7413.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f45dc8ffff706fb05bcde3a42111e7466e20ebf3dc7f5347bf588368a02ed7e4
                                    • Instruction ID: 1b0428887442449a7569aa81a1a432ce4515700f92b556eab7cb9259d4578ea1
                                    • Opcode Fuzzy Hash: f45dc8ffff706fb05bcde3a42111e7466e20ebf3dc7f5347bf588368a02ed7e4
                                    • Instruction Fuzzy Hash: FB117975904280EFDB12CF14D5C4B55BBA2FB84324F28C6A9D8498B756D33AE84ACB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.327007162.00000000008AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8ad000_PO_7413.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 508677dcf753f027aa40af651d0e86b9d4c568b7c523b1f2c12ecf67aedbf99f
                                    • Instruction ID: 3efb90ec0ab526d939ef1f7a8493c8c538b79264df7cae914f3c829180702023
                                    • Opcode Fuzzy Hash: 508677dcf753f027aa40af651d0e86b9d4c568b7c523b1f2c12ecf67aedbf99f
                                    • Instruction Fuzzy Hash: 4901F7724043449AF7104A1ADC84766FFD8FF52734F18855AED0ADAE46C3799840CAF1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.327007162.00000000008AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8ad000_PO_7413.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b156abc01a6ab7b7a3a6fca821bebea423251bf65bd96f745ddd4cf7b88ccf46
                                    • Instruction ID: 0fa3d03344ac6901088de6fa6cf90032125173e6e4f295ac1344237614043d3f
                                    • Opcode Fuzzy Hash: b156abc01a6ab7b7a3a6fca821bebea423251bf65bd96f745ddd4cf7b88ccf46
                                    • Instruction Fuzzy Hash: 7CF062724043449EE7108A16DD84B62FFE8EF91734F18C55AED099BA86C3799C44CAB1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.327412564.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a90000_PO_7413.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9334d0c3d1e14b7426078fd5f56997371b61ce381212a10b99475fa76c0af07b
                                    • Instruction ID: dc83ce4e03449c2faadaf8c7faa54d61fa3cf6a0af19e47ec319b14496715c1b
                                    • Opcode Fuzzy Hash: 9334d0c3d1e14b7426078fd5f56997371b61ce381212a10b99475fa76c0af07b
                                    • Instruction Fuzzy Hash: 0C12A4F1C11F468AD714CFB6EC9C9893BA1B7553A8B924308E2612A6F0D7B425CBCF44
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.327412564.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a90000_PO_7413.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2095cbf25406165f5079ea11b72321fc8cb91c3a800a70456b1b8d301e7b7da4
                                    • Instruction ID: 3509a3aa91d81a577aa9b1b3d7121952202e1dd98f0090345c1e4da26d33b0c7
                                    • Opcode Fuzzy Hash: 2095cbf25406165f5079ea11b72321fc8cb91c3a800a70456b1b8d301e7b7da4
                                    • Instruction Fuzzy Hash: 0CA15D32F0061A8FCF15DFB5C9449DEBBF2FF89300B15856AE805AB261EB31A955CB40
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.327412564.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a90000_PO_7413.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c1960211f1cfa1e946eb37c7fd115a3baef64666e94869a4662f71daf6a8f004
                                    • Instruction ID: 649cf6b2e77e4ba3a7f5e9eeb1b7c5c66c94af6ea452f0e5da319bcc1be6dc68
                                    • Opcode Fuzzy Hash: c1960211f1cfa1e946eb37c7fd115a3baef64666e94869a4662f71daf6a8f004
                                    • Instruction Fuzzy Hash: 69C106B1C11B468AD714CFB6EC889897BA1BB85364F524309E1616B6F0DBB435CBCF84
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Execution Graph

                                    Execution Coverage: 13%
                                    Dynamic/Decrypted Code Coverage: 100%
                                    Signature Coverage: 2.1%
                                    Total number of Nodes: 144
                                    Total number of Limit Nodes: 7

                                    Control-flow Graph (graph rendering not reproduced)

                                    APIs
                                    • GetUserNameW.ADVAPI32(00000000,00000000), ref: 00CEF7AB
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.570261312.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_ce0000_PO_7413.jbxd
                                    Similarity
                                    • API ID: NameUser
                                    • String ID:
                                    • API String ID: 2645101109-0
                                    • Opcode ID: 311f4350e64bfcafd5d8c87fe73a0f8d6b4efa4023b0fa8c33c0fe3670544149
                                    • Instruction ID: 7e40d2805d5e0cf53c931aa973ef0aa005362889b89b0df1880b3ecbd23368b6
                                    • Opcode Fuzzy Hash: 311f4350e64bfcafd5d8c87fe73a0f8d6b4efa4023b0fa8c33c0fe3670544149
                                    • Instruction Fuzzy Hash: 11512575D002588FDB14CFAAD888B9DBBB1BF48310F15812ED815AB391D7B4A946CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph (graph rendering not reproduced)

                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 060033F6
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.578400939.0000000006000000.00000040.00000800.00020000.00000000.sdmp, Offset: 06000000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_6000000_PO_7413.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: 97de9533be76e6b2521ad01129bb15380a5fcfdf12246e606411e9098ea618f6
                                    • Instruction ID: b9de98460c26020fc4cff41502274f935ad0ea45f744b2667438053b87de5f2a
                                    • Opcode Fuzzy Hash: 97de9533be76e6b2521ad01129bb15380a5fcfdf12246e606411e9098ea618f6
                                    • Instruction Fuzzy Hash: 8C714670A00B059FE7A8DF6AD44576ABBF1BF88304F10892DD48ADBA50DB75F845CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph (graph rendering not reproduced)

                                    APIs
                                    • GetUserNameW.ADVAPI32(00000000,00000000), ref: 00CEF7AB
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.570261312.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_ce0000_PO_7413.jbxd
                                    Similarity
                                    • API ID: NameUser
                                    • String ID:
                                    • API String ID: 2645101109-0
                                    • Opcode ID: b4ebcadcf331386598bf59152d22dd6baa0ff115d6bb7db5d0396fcea3f2dc94
                                    • Instruction ID: 5b2eba7411e1b34a7368b3f322a4759ab5d42fce42269bb0b60af96bb5ef7e1a
                                    • Opcode Fuzzy Hash: b4ebcadcf331386598bf59152d22dd6baa0ff115d6bb7db5d0396fcea3f2dc94
                                    • Instruction Fuzzy Hash: 03517770E00258CFDB14CFAAD88479DBBB1BF88300F15802EE819AB391C774A946CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph (graph rendering not reproduced)

                                    APIs
                                    • GetUserNameW.ADVAPI32(00000000,00000000), ref: 00CEF7AB
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.570261312.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_ce0000_PO_7413.jbxd
                                    Similarity
                                    • API ID: NameUser
                                    • String ID:
                                    • API String ID: 2645101109-0
                                    • Opcode ID: a18cf27c033598f6a6599a712b3eb7cf91760c22a2bff1bf9994df4537b81c47
                                    • Instruction ID: a293c459aeeff70689d83a52360cbd4b7350193c031f865acadca9f9e1cee105
                                    • Opcode Fuzzy Hash: a18cf27c033598f6a6599a712b3eb7cf91760c22a2bff1bf9994df4537b81c47
                                    • Instruction Fuzzy Hash: CF5107B5E00258CFDB14CFAAD88879DBBB1BF48314F15812EE815AB391D7B49946CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph (graph rendering not reproduced)

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.578014228.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_5cf0000_PO_7413.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2337520b725cb90fee840403b8d561872f83e09b772ecd21c22dfb02f5eb17d8
                                    • Instruction ID: 965146cdf70a7734e34c6604c8fa5c8e5e9341117cc4656ff083c86bccd4402a
                                    • Opcode Fuzzy Hash: 2337520b725cb90fee840403b8d561872f83e09b772ecd21c22dfb02f5eb17d8
                                    • Instruction Fuzzy Hash: 00412272E143898FCB00DBA9D4446EEBFB1BF89310F04856BE409A7250DB789881CBD1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph (graph rendering not reproduced)

                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 060057FA
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.578400939.0000000006000000.00000040.00000800.00020000.00000000.sdmp, Offset: 06000000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_6000000_PO_7413.jbxd
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: 4310384e9cb65d89a8074d63413c1f7f06219886a2be9c101a10fabc55b01def
                                    • Instruction ID: 71ca101db1f6017fc15b656d1d84bad9d85ff4146e8b4c015b748cbffd628926
                                    • Opcode Fuzzy Hash: 4310384e9cb65d89a8074d63413c1f7f06219886a2be9c101a10fabc55b01def
                                    • Instruction Fuzzy Hash: 715102B1C00309DFEB15CFA9D980ADEBFB5BF48310F24812AE819AB250D7749885CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph (graph rendering not reproduced)

                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 060057FA
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.578400939.0000000006000000.00000040.00000800.00020000.00000000.sdmp, Offset: 06000000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_6000000_PO_7413.jbxd
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: 9b5b22b031c858b0b1b73a77f9380470372e9b16f848ba28c6d2e5338e8323fb
                                    • Instruction ID: b393a6bf679c1895a30208aa294f22f2bd10f14ed41a2d21baff8ac93f5a2eac
                                    • Opcode Fuzzy Hash: 9b5b22b031c858b0b1b73a77f9380470372e9b16f848ba28c6d2e5338e8323fb
                                    • Instruction Fuzzy Hash: 2651C0B1D10309DFEB15CF9AD984ADEBFB5BF48710F24812AE819AB250D7749885CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph (graph image omitted)
                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 060057FA
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.578400939.0000000006000000.00000040.00000800.00020000.00000000.sdmp, Offset: 06000000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_6000000_PO_7413.jbxd
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: 393e9fe2fa2812f0d28f85c510e6a67f7583c49e2bd3c69bcf49bc343b3710f5
                                    • Instruction ID: 1dffd27e7ff0a534d5c92ee05f4ba419af430d482ed6e45b355334b4d6562373
                                    • Opcode Fuzzy Hash: 393e9fe2fa2812f0d28f85c510e6a67f7583c49e2bd3c69bcf49bc343b3710f5
                                    • Instruction Fuzzy Hash: A041EFB1D10309DFEB15CF99D984ADEBFB5BF48310F24812AE819AB250D7749885CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph (graph image omitted)
                                    APIs
                                    • LoadLibraryA.KERNELBASE(?), ref: 00CE7677
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.570261312.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_ce0000_PO_7413.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 057a1d44202ce7f798845a915ee3efbbb54d5073fcf49620ee4d586abef99abf
                                    • Instruction ID: 62d3e7c3f2962d9493ebbe17548432ff6b780da78ace202c5e2522a5c8b0b2de
                                    • Opcode Fuzzy Hash: 057a1d44202ce7f798845a915ee3efbbb54d5073fcf49620ee4d586abef99abf
                                    • Instruction Fuzzy Hash: FC418CB0D046888FDB10CFAAD88579DBFF5FB48304F10812AE858AB240D7745846CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph (graph image omitted)
                                    APIs
                                    • LoadLibraryA.KERNELBASE(?), ref: 00CE7677
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.570261312.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_ce0000_PO_7413.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 0578ab3a45ddd83db25ed1639278925b4458dbb1453af53d3f18daeb2c6f7ba2
                                    • Instruction ID: 174158e0ee153204aabe4967de5faa692360e8c28c0fac3b7c2b99a747a2bade
                                    • Opcode Fuzzy Hash: 0578ab3a45ddd83db25ed1639278925b4458dbb1453af53d3f18daeb2c6f7ba2
                                    • Instruction Fuzzy Hash: FB415BB0D047989FDB10CFAAD98579EBBF5EB48304F108129E814AB240D7B49845CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph (graph image omitted)
                                    APIs
                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 0600B571
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.578400939.0000000006000000.00000040.00000800.00020000.00000000.sdmp, Offset: 06000000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_6000000_PO_7413.jbxd
                                    Similarity
                                    • API ID: CallProcWindow
                                    • String ID:
                                    • API String ID: 2714655100-0
                                    • Opcode ID: f9fc4200b188fd17c3e1dae9863ffce2e872192dcaf8b9d557153d8ec379d5ce
                                    • Instruction ID: 9467ee377cbc1df25ed6769ed175353c0487057e0e043994a2ab33186bc743eb
                                    • Opcode Fuzzy Hash: f9fc4200b188fd17c3e1dae9863ffce2e872192dcaf8b9d557153d8ec379d5ce
                                    • Instruction Fuzzy Hash: 064129B89003058FEB54CF99C488BAABBF5FF88314F248499D419AB360D775E841CFA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph (graph image omitted)
                                    APIs
                                    • GlobalMemoryStatusEx.KERNELBASE ref: 05CFC107
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.578014228.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_5cf0000_PO_7413.jbxd
                                    Similarity
                                    • API ID: GlobalMemoryStatus
                                    • String ID:
                                    • API String ID: 1890195054-0
                                    • Opcode ID: 366ec51637b53023ab59a97b657ab56b4486d8e5fe011e7e795b7ddf8fd2ce4c
                                    • Instruction ID: 64743f1266970fd519d615e52a32932da619736cece1a3b7852a6647b44d8b47
                                    • Opcode Fuzzy Hash: 366ec51637b53023ab59a97b657ab56b4486d8e5fe011e7e795b7ddf8fd2ce4c
                                    • Instruction Fuzzy Hash: D011DDB1D0062A9FCB10DF9AD544B9EFBF4BB48320F15856AD818A7240D378AA55CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph (graph image omitted)
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 06003662
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.578400939.0000000006000000.00000040.00000800.00020000.00000000.sdmp, Offset: 06000000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_6000000_PO_7413.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: a19a41160c02f94ec0844d131fba9684932ea9d3f7122080e377cacda6465d62
                                    • Instruction ID: 008e531aaeb27fe02e54837752cc0f85dc436a998b8bc071bb7504cec9c56990
                                    • Opcode Fuzzy Hash: a19a41160c02f94ec0844d131fba9684932ea9d3f7122080e377cacda6465d62
                                    • Instruction Fuzzy Hash: A411F3B6D003099FDB14CF9AD548ADEFBF4AB48720F14852ED419A7340C374A945CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph (graph image omitted)
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 06003662
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.578400939.0000000006000000.00000040.00000800.00020000.00000000.sdmp, Offset: 06000000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_6000000_PO_7413.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 42fa2b64fafd50f806fb02c012c5d9741ab2ba98c919061eec47e93ade1e69fe
                                    • Instruction ID: 7d6a3d95ca6281282fa025a612a44faed8831e78e2ae437df776956a9483c5ae
                                    • Opcode Fuzzy Hash: 42fa2b64fafd50f806fb02c012c5d9741ab2ba98c919061eec47e93ade1e69fe
                                    • Instruction Fuzzy Hash: 9B11EFB6D002098FDB14CFAAD588ADEFBF4AB48720F14852AD419A7640C374A945CFA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OleInitialize.OLE32(00000000), ref: 0600DF95
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.578400939.0000000006000000.00000040.00000800.00020000.00000000.sdmp, Offset: 06000000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_6000000_PO_7413.jbxd
                                    Similarity
                                    • API ID: Initialize
                                    • String ID:
                                    • API String ID: 2538663250-0
                                    • Opcode ID: 05cf99073a9a86d59c90ae58526a679cf6627c04f7c40a534313f41c4ac304fd
                                    • Instruction ID: b01a9e234940d537b8e649612968b2d50670cf279d099b3e0116f81eb6a52aba
                                    • Opcode Fuzzy Hash: 05cf99073a9a86d59c90ae58526a679cf6627c04f7c40a534313f41c4ac304fd
                                    • Instruction Fuzzy Hash: 921133B1D443088FEB60DF9AC548B9EBFF8EB48324F14845AD419A7240C374A944CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OleInitialize.OLE32(00000000), ref: 0600DF95
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.578400939.0000000006000000.00000040.00000800.00020000.00000000.sdmp, Offset: 06000000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_6000000_PO_7413.jbxd
                                    Similarity
                                    • API ID: Initialize
                                    • String ID:
                                    • API String ID: 2538663250-0
                                    • Opcode ID: f7a0a32c5134b968423f5042e64f6af053d0ac2335ee0cbc11681520dd86cb2e
                                    • Instruction ID: 5c34d1e6db807fc9072253f8e6411b5024acbbc7f23f7bbf1b83e78deba7bcaa
                                    • Opcode Fuzzy Hash: f7a0a32c5134b968423f5042e64f6af053d0ac2335ee0cbc11681520dd86cb2e
                                    • Instruction Fuzzy Hash: C81100B5D003088FDB50DF9AD58879EBBF4AB08324F24895AD469B7690D374A984CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.569236857.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_c7d000_PO_7413.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2765fd9ca9fb85553487ef78453fd8d10d21619fa0d8ab2dafc1d6e034ad1348
                                    • Instruction ID: 181779bed7d0ab55d6431647b3e294cbe834c33df1c14cf2ffe7ac0e094407be
                                    • Opcode Fuzzy Hash: 2765fd9ca9fb85553487ef78453fd8d10d21619fa0d8ab2dafc1d6e034ad1348
                                    • Instruction Fuzzy Hash: D921F1B1504240DFDB45CF14D9C0B16BFB5FF88328F24C669E80A0B24AC336D946DBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.569236857.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_c7d000_PO_7413.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 43a7e828bec79c03af23556d273a07ba1fb4b576a8287a3930527acb1c69fbba
                                    • Instruction ID: a9c127fdb4b8ec2d5afd166497519f684fe6197020ef83960fde0953b07ba852
                                    • Opcode Fuzzy Hash: 43a7e828bec79c03af23556d273a07ba1fb4b576a8287a3930527acb1c69fbba
                                    • Instruction Fuzzy Hash: E221D372504240EFDB15DF14D9C0B26BF75FF94324F24CAA9E90E1B246C336E856DAA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.569281787.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_c8d000_PO_7413.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f80074d6bdf5835dbe621aa5aa1db5d7dc12d04062d191386b61315e103b3630
                                    • Instruction ID: 78728557977952f5208bda8743fa28081bc316079ef27c54ca20c43071dbdc4d
                                    • Opcode Fuzzy Hash: f80074d6bdf5835dbe621aa5aa1db5d7dc12d04062d191386b61315e103b3630
                                    • Instruction Fuzzy Hash: 3D21F575504340DFDB14EF14D9C0B16BB65FB84318F24C969D84A4B286C336D847CB65
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.569281787.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_c8d000_PO_7413.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 08f1a774671815e1961ce028c8a4bc850e4c85256682825b12785a31d166b276
                                    • Instruction ID: 98136741002c6ca7df35bf536026d2c7154f16b014f0a551fc104f0a12632774
                                    • Opcode Fuzzy Hash: 08f1a774671815e1961ce028c8a4bc850e4c85256682825b12785a31d166b276
                                    • Instruction Fuzzy Hash: 7E2180755093C08FDB02DF24D990715BF71EB46314F28C5EAD8898B697C33AD84ACB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.569236857.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_c7d000_PO_7413.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 29d2f0100e3109f4613dfdff40d42613bb56894c0d784d201462b3ed20c718eb
                                    • Instruction ID: 8b92ecff9bf5aaeec3233bcec80ccd28a4f2bd45499fa924abaea11c85145f06
                                    • Opcode Fuzzy Hash: 29d2f0100e3109f4613dfdff40d42613bb56894c0d784d201462b3ed20c718eb
                                    • Instruction Fuzzy Hash: 6C11E6B6504280CFCB12CF14D5C4B16BF71FF94324F24C6A9D80A0B656C33AD956CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.569236857.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_c7d000_PO_7413.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 29d2f0100e3109f4613dfdff40d42613bb56894c0d784d201462b3ed20c718eb
                                    • Instruction ID: 8c9656e6d2d614a3c6c0258e6a164182816fe90f6f61db55d577fb1325912f58
                                    • Opcode Fuzzy Hash: 29d2f0100e3109f4613dfdff40d42613bb56894c0d784d201462b3ed20c718eb
                                    • Instruction Fuzzy Hash: 2911E676504280DFCB02CF10D5C4B16BF72FF94324F24C6A9D8490B656C33AE956CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.569236857.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_c7d000_PO_7413.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d7969d067ea76756342fac270451c2567cc879bc5103c71f2adbeeb75c702802
                                    • Instruction ID: 3b6c5d9aaa41f60c52c0987f01556de733ebe1af9d1d4a62085d5c8fe0f655d7
                                    • Opcode Fuzzy Hash: d7969d067ea76756342fac270451c2567cc879bc5103c71f2adbeeb75c702802
                                    • Instruction Fuzzy Hash: EC01F7714093809AE7108A2ADC84766FFE8DF41724F18C85AFD1E1A246C3799984C6B1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.569236857.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_c7d000_PO_7413.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 807d41bd4f611d74e86d6e2f47b65c560301a5ca0caf5b52cb6416f7a1c30d6e
                                    • Instruction ID: 68032b47224cf8b2594dd9f99fe1a224ee7cf937336b42b1b8be364bde52fd8d
                                    • Opcode Fuzzy Hash: 807d41bd4f611d74e86d6e2f47b65c560301a5ca0caf5b52cb6416f7a1c30d6e
                                    • Instruction Fuzzy Hash: D8F0C2714083449EEB108A06DC84B62FFA8EF51734F18C85AED0D1B286C3799C84CAB1
                                    Uniqueness

                                    Uniqueness Score: -1.00%